Cudy LT500E Router Hard-Coded Password Vulnerability in Web Interface

A vulnerability exists in the Cudy LT500E Router running firmware versions prior to 2.3.13. The issue arises from the root user account, which retains the default password 'admin', stored in the file '/squashfs-root/etc/shadow' using MD5-crypt hashing. This weak password can be easily decrypted and used for unauthorized access to the router's web interface or other network services, potentially leading to administrative control.

Impact

Exploitation of this vulnerability allows unauthorized access to the router's administrative interface or other network services, using the decrypted password 'admin'. This access can be used to gain root privileges, access sensitive information, modify device settings, or execute arbitrary code.

Reproduction

To reproduce this vulnerability, extract the router's firmware image version LT500E-R42-2.3.13-20250221-111145-flash. After extracting the firmware, locate the shadow file in the squashfs-root directory. The MD5-crypt hash of the root password can be found and cracked using a password-cracking tool, revealing the default password 'admin'. This password can then be used to log into the router's administrative interface or other network-accessible services.

Remediation

Users are advised to upgrade to Cudy LT500E firmware version 2.3.13 or later, which eliminates this vulnerability.